I guess it's good Google hasn't succeeded in forcing people to renew certificates every 8 hours (yet)

In theory 8 hours of downtime should be fine for a CA. Obviously not ideal, but the pki system is not meant to be a live system.

That feeling when you have to suspend production service until the time lock safe can be opened.

The same amount of time it feels like it takes for my google functions to deploy.